Preventing Admin1 from Modifying Resources in Azure Resource Group (RG1)

How to Restrict Admin1 from Modifying Resources in RG1

Question

You have an Azure subscription that contains several resource groups, including a resource group named RG1. RG1 contains several business-critical resources.

A user named admin1 is assigned the Owner role to the subscription.

You need to prevent admin1 from modifying the resources in RG1. The solution must ensure that admin1 can manage the resources in the other resource groups.

What should you use?

Answers

A. a management group
B. an Azure policy
C. a custom role
D. an Azure blueprint

Explanations

Correct answer: C

Azure role-based access control (RBAC) governs which actions a user may perform at a given scope. Assigning a role such as Contributor at a resource group scope lets the user change that resource group only. Assignments are inherited by child scopes, so an Owner assignment on the subscription also covers RG1; to exclude RG1 the subscription-level assignment has to be replaced by narrower assignments on the other resource groups.

Incorrect Answers:

A: If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions.

B: There are a few key differences between Azure Policy and role-based access control (RBAC). Azure Policy focuses on resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default allow and explicit deny system.

D: Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements.

https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

The correct answer is C. a custom role.

To prevent admin1 from modifying the resources in RG1 while still allowing them to manage resources in the other resource groups, create a custom role with the permissions admin1 needs and assign it only where admin1 should have it. Custom roles let you define granular permissions that can be assigned to specific users or groups at a chosen scope.

Here are the steps to create a custom role to meet the requirements of the scenario:

  1. Identify the permissions admin1 needs in the other resource groups (for example, everything the built-in Contributor role allows: manage resources, but not role assignments).

  2. Use Azure RBAC to create a custom role with those permissions. Keep two properties of Azure RBAC in mind: it is allow-only, so a custom role's NotActions only subtract operations from that role's own Actions and cannot block what another assignment (such as Owner) already grants; and role assignments are inherited by every child scope.

  3. Assign the custom role to admin1 at the scope of each resource group other than RG1, then remove the Owner assignment at the subscription scope. The custom role cannot be assigned at the subscription level, because an assignment there would be inherited by RG1 as well; equally, the Owner assignment cannot remain, because it would keep granting full access to RG1.

  4. Verify that admin1 has no effective role assignment that reaches RG1 (including any inherited from a management group above the subscription) and can still manage resources in the other resource groups.
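The procedure above carried out with the Az PowerShell module, as an added example that is not part of the original page. The sign-in name admin1@contoso.com and the custom role name "RG Resource Manager" are assumptions; the script must run as an account that can manage role assignments on the subscription (Owner or User Access Administrator), and it adds the replacement assignments before removing Owner so admin1 never loses access to the other groups.

```powershell
# Added example (not from the original page). Assumed values: the UPN
# admin1@contoso.com, the custom role name "RG Resource Manager", and RG1 as
# the protected resource group. Requires the Az module and an already
# established Azure context (Connect-AzAccount).

$subId     = (Get-AzContext).Subscription.Id
$subScope  = "/subscriptions/$subId"
$user      = "admin1@contoso.com"        # assumed sign-in name
$protected = "RG1"
$roleName  = "RG Resource Manager"       # assumed custom role name

# Step 1-2: build the custom role from the built-in Contributor definition so it
# can manage resources but not role assignments. The NotActions inherited from
# Contributor are subtracted from this role's Actions only; they are not a deny
# and could never block what a separate Owner assignment already allows.
$role = Get-AzRoleDefinition -Name "Contributor"
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = $roleName
$role.Description = "Manage resources in the assigned resource groups; no RBAC changes."
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($subScope)     # where the role may be assigned, not where it applies
if (-not (Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue)) {
    New-AzRoleDefinition -Role $role | Out-Null
}

# Step 3a: assign the custom role at every resource group except RG1.
# Assignments are inherited downward, so a single assignment at $subScope would
# also cover RG1; per-resource-group scope is what keeps RG1 out.
Get-AzResourceGroup |
    Where-Object { $_.ResourceGroupName -ne $protected } |
    ForEach-Object {
        $rgScope = "$subScope/resourceGroups/$($_.ResourceGroupName)"
        $existing = Get-AzRoleAssignment -SignInName $user -RoleDefinitionName $roleName `
                                         -Scope $rgScope -ErrorAction SilentlyContinue
        if (-not $existing) {
            New-AzRoleAssignment -SignInName $user -RoleDefinitionName $roleName -Scope $rgScope | Out-Null
        }
    }

# Step 3b: only now remove the subscription-wide Owner assignment.
Remove-AzRoleAssignment -SignInName $user -RoleDefinitionName "Owner" -Scope $subScope

# Step 4: verify. Get-AzRoleAssignment at a scope also returns assignments
# inherited from parent scopes (subscription, management group), so an empty
# result means nothing reaches RG1.
$onRg1 = Get-AzRoleAssignment -SignInName $user -Scope "$subScope/resourceGroups/$protected"
if ($onRg1) {
    Write-Warning "admin1 still has role assignments that reach ${protected}:"
    $onRg1 | Format-Table RoleDefinitionName, Scope -AutoSize
} else {
    Write-Output "OK: admin1 has no role assignment that reaches $protected."
}
```

If the verification step still lists an assignment whose Scope is a management group, that assignment must be removed as well; nothing assigned on a resource group can subtract from it.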

The other answer options are not suitable for this scenario:

A. A management group is a logical container for managing access, policies, and compliance across multiple subscriptions. Scoping a role assignment there only widens it; a management group cannot be used to carve one resource group out of a user's existing access.

B. Azure Policy enforces organizational standards by evaluating resource properties (such as type or location) against assigned policy definitions. It judges the resource, not the user, so it cannot single out admin1 while leaving other users' permissions on RG1 untouched.

D. An Azure blueprint is a declarative way to orchestrate the deployment of resource templates, policies, and role assignments as a repeatable package. It does not grant or withhold permissions for one specific user.